Cybercrime poses a serious threat to companies of all industries and sizes - this is widely known. The repertoire ranges from espionage to sabotage to blackmail. However, the danger does not only come from the Internet. Your own employees can also be a serious risk factor. Especially if your company has not taken appropriate measures - take a look at Annex A.7 of ISO 27001.
A well-structured information security management system (ISMS) in accordance with the ISO 27001 standard provides the basis for effectively implementing a holistic information security strategy. The systematic approach helps to protect confidential company data from loss and misuse and to reliably identify potential risks to the company, analyze them and make them controllable through appropriate measures. This involves much more than just the aspects of IT security. The implementation of the measures in Annex A of the standard is particularly valuable for practice.
ISO/IEC 27001:2013: Information technology — Security techniques — Information security management systems — Requirements
Annex A of ISO 27001: Practically relevant
In addition to the management system-oriented requirements section (chapters 4 to 10), the ISO standard's Annex A contains an extensive list of 35 measure targets (controls) with 114 concrete measures on a wide range of security aspects across 14 chapters.
Note: The statements referred to as "measures" in Annex A are actually individual targets (controls). They describe what a standard-compliant result of suitable (individual) measures should look like.
Companies should use these controls as a basis for their individual, more in-depth structuring of their information security policy. With regard to the topic of personnel, the measure objective "Personnel security" in Appendix A.7 is of particular interest.
"The measures do not rely on distrust of employees, but on clearly structured personnel processes."
Personnel processes ensure across all phases of employment that responsibilities and duties are assigned with regard to information security and that compliance is monitored. Violations of the information security policy - both intended and unintended - are thus not impossible, but they are made much more difficult. And if worst comes to worst, an effective ISMS provides the organization with appropriate mechanisms for dealing with the breach.
Information security is not mistrust
It is by no means a matter of mistrust if a company issues appropriate guidelines to make unauthorized access from the inside more difficult or, better still, to prevent it altogether. After all, one thing is clear: If an employee's termination is imminent or has already been announced, his or her dissatisfaction can lead to targeted data theft. This happens especially when the terminated employee believes he or she has proprietary rights to project data. Conversely, an application for a particular job may already be made with the intent to commit a criminal act.
Other scenarios indicate grossly negligent behavior or simply recklessness, which can have similarly serious consequences. It happens, for example, that entire IT departments do not adhere to their own rules - too cumbersome, too time-consuming. In the office, it's the careless handling of passwords or unprotected smartphones. But also careless connecting of USB sticks, open documents on the screen, secret documents in empty offices - the list of possible omissions is long.
Annex A.7 of ISO 27001 - Personnel security
Companies that have implemented an information security management system (ISMS) in accordance with the ISO 27001 standard are in a better position here. They know the requirements and the practice-relevant Annex A.7 of the internationally recognized standard. Because ISO 27001 has a lot to offer here: Although the reference measures refer directly to the standard requirements, they are always aimed at direct company practice.
Companies with an effective ISMS are familiar with the targets specified in A.7, which must be implemented with a view to personnel security for full compliance with the standard - across all phases of employment.
What does the ISO 27001 standard say in Annex A.7?
Measures before employment
The organization must ensure that a new employee understands their future responsibilities and is suitable for their role before employing them - according to Annex A.7.1. In the requirements section (Chapter 7.2), the standard talks about "competence."
As a goal-oriented reference measure, applicants for a job first receive a security clearance that complies with ethical principles and applicable laws. This check must be appropriate in relation to business requirements, the classification of the information to be obtained and possible risks (A.7.1.1). In order to be able to achieve this, the following should, among other things, be in place, ensured or verified:
- A procedure for obtaining information (how and under what conditions)
- A list of legal and ethical criteria to be observed
- The security check must be appropriate, related to risks and the company's needs
- The plausibility and authenticity of C.V., financial statements and other documents
- The trustworthiness and competence of the applicant for the intended position
The next step is about employment and contractual terms. So, this reference measure in Annex A of ISO/IEC 27001 consists of the contractual agreement on what responsibilities employees have towards the company and vice versa (A.7.1.2). Successful implementation of this requirement includes, among other things, the fulfillment of these points:
- The signing of a confidentiality agreement by the employee (contractor) with access to confidential information
- A contractual obligation on the part of the employee (contractor) to comply with, for example, copyright or data protection issues
- A contractual provision on the responsibility of employees (contractors) when handling external information
During employment - The responsibilities of top management.
Employees must be aware of their information security responsibilities. This is the goal of A.7.2, and more importantly, employees must live up to these responsibilities.
The first measure (A.7.2.1) is aimed at management's obligation to encourage its employees to implement information security in accordance with established policies and procedures. To this end, the following points must be regulated as a minimum:
- In what way does top management encourage employees to implement? Where are there risks?
- How does it ensure that employees are aware of the implemented guidelines for dealing with information security?
- How does it check whether employees adhere to the guidelines for handling information security?
- How do they motivate their employees to implement policies and procedures and to apply them securely?
In chapter 7.3 "Awareness", ISO 27001 requires that persons performing relevant activities are aware of the following
- Of the organization's information security policy
- Of the contribution they make to the effectiveness of the information security management system (ISMS)
- The benefits of improved information security performance
- The consequences of not meeting the requirements of the ISMS
New employees in particular need regular information on the subject, e.g., by e-mail or via the intranet, in addition to the mandatory briefing on information security issues. Concrete training (especially on emergency plans and exercises), topic-specific workshops and awareness campaigns (e.g., via posters) strengthen awareness of the information security management system.
For example, reference measure A.7.2.1 in Annex A of ISO 27001 also serves to create appropriate awareness of information security. Organizations must train and educate their employees and, where appropriate, their contractors on professionally relevant topics. Corresponding policies and procedures must be updated regularly. The following aspects, among others, must be taken into account:
- The manner in which top management, for its part, is committed to information security
- The nature of professional education and training
- The frequency with which policies and procedures are reviewed and updated
- Other tools that are used
- Concrete measures to familiarize employees with internal information security policies and procedures
TIP: Ensure well-functioning communication with multiple channels for knowledge transfer. This is because the awareness of the ISMS and related aspects required by the standard is closely related to the transfer of knowledge.
Annex 7.2.3: This measure specifies the manner in which the organization will handle reprimands in the event of information security violations. The basis for this is a corrective action process. It shall be formally defined, established, and announced. The following must be ensured:
- Criteria must exist according to which the severity of a violation of the information security policy is classified
- The disciplinary process must not violate applicable laws
- The disciplinary process must contain measures that motivate employees to change their behavior in a positive way in the long term
End of employment - Responsibilities
Annex A.7.3 of ISO 27001 specifies as a target an effective termination or change process to protect the interests of the organization. This objective focuses on the responsibilities for termination or change of employment. Accordingly, information security-related responsibilities and obligations that remain after termination or change of employment must be defined, communicated, and enforced. It makes sense to consider these aspects:
- Agreements in employment contracts on how employees are to deal with continuing information security-relevant responsibilities and duties after termination of employment
- Monitoring mechanisms to ensure compliance with these agreements
- Procedures for enforcing compliance with continuing responsibilities and duties
Cyber security through systematic personnel security
The threat from within is real - and most companies are aware of it. According to a security study (Balabit 2018), employees who have wide-ranging access rights are particularly vulnerable to attack. And with employees involved in 50 percent of all security breaches, 69 percent of responding IT professionals consider a breach of insider data to be the greatest risk. Yet little is being done about it. In practice, it is often difficult to make accusations against in-house staff. Especially in small and medium-sized enterprises (SMEs), where people know each other, a certain amount of trust is often placed in them - sometimes with unpleasant consequences. Well-structured information security management provides the basis for ensuring the security of information that requires protection.
Conclusion: ISO 27001 in practice - Annex A
In Annex A.7, ISO/IEC 27001 provides reference measures for personnel security that must be implemented as part of the introduction of the standard. Companies should use these controls as a basis for their individual, more in-depth design of their information security policy. The measures do not rely on mistrust of employees, but on clearly structured personnel processes.
Expertise and trust
Certified companies value management systems as tools for top management that create transparency, reduce complexity and provide security. However, management systems do even more: Assessed and certified by a neutral and independent third party such as DQS , they create trust with interested parties in your company's performance.
Many organizations still experience certification as a compliance check. Our customers, on the other hand, see it as an opportunity to focus on success-critical factors and the results of their management system. Because our core competencies lie in the performance of certification audits and assessments. This makes us one of the leading providers worldwide with the claim to set new standards in reliability, quality and customer orientation at all times
Certification according to ISO 27001
How much work do you have to do to have your information security management system certified to ISO 27001? Find out free of charge and without obligation.
Please note: Our articles are written exclusively by our in-house management system experts and long-standing auditors. If you have any questions for our authors on information security (ISMS), please contact us. We look forward to talking with you.